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Abstract 



Suppose that there are n Senders and n Receivers. Our goal is to send long messages 
from Sender i to Receiver i such that no other receiver can retrieve the message intended 
for Receiver i. The task can easily be completed using n private channels between the 
pairs. Solutions, using one channel needs either encryption or switching elements for 
routing the messages to their addressee. 

The main result of the present work is a description of a network in which The Senders 
and the Receivers are connected with only n"' 1 ' channels; the encoding and de-coding 
is nothing else just very fast linear combinations of the message-bits; and there are no 
switching or routing-elements in the network, just linear combinations are computed, 
with fixed connections (channels or wires). 
1 In the proofs we do not use any unproven cryptographical or complexity theoretical 

, assumptions. 



1 Introduction 



^ ■ Suppose that there are given n Senders Si, S2, . . . ,S n and n Receivers Ri,R<z, ■ ■ ■ , R n - Our 

goal is to send long messages from Si to Ri, for i = 1, 2, . . . , n such that 

(a) Ri can easily retrieve the message of Si, for i = 1, 2, . . . , n 

(b) Ri cannot retrieve the message of Sj for any j ^ i. 

An obvious method for doing this is connecting Si with Ri with private channels, that 
is, we need n parallel channels for the n Senders and the n Receivers. The advantage of this 
solution is that n bits can be sent in parallel, and the transmission is private, in the sense 
that Ri receives only the transmission of Si, for i = 1,2, ... ,11. 

Another obvious solution is that all the Senders and Receivers use the same channel, and 
they transmit their messages one after the other, but in this case some sort of encryption 
should be used for the maintaining the privacy of the transmission. 

The main result of the present work is a description of a network in which 

(i) The Senders and the Receivers are connected with only channels 1 
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1 Here o(l) denotes a quantity which goes to as n goes to the infinity. 
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(ii) The encoding and de-coding is nothing else just linear combinations of the message-bits, 
and this linear combinations can be computed very fast, 

(iii) There are no switching or routing-elements in the network, just linear combinations are 
computed, with fixed connections (channels or wires), 

(iv) Ri cannot learn much about any bit of the message of Sj for any j ^ i, and can learn 
only a negligible amount of information on longer messages of Sj] 

(v) In the proofs we do not use any unproven cryptographical or complexity theoretical or 
any other assumptions. 



2 Preliminaries 
2.1 The dot-product 

We have defined the alternative, and the 0-a-strong and the 1-a-strong representations of 
polynomials in [2]. Note that the 0-a-strong representation, defined here, coincides with the 
a-strong representation of the paper pQ. 

Note also, that for prime or prime-power moduli, polynomials and their representations 
(defined below), coincide. That may be the reason that such definitions were not given prior 
to 0. 

Definition 1 Let m be a composite number m = p^p^ ■ ■ ■ p e / ■ Let Z m denote the ring of 
modulo m integers. Let f be a polynomial of n variables over Z m : 

f(xi, x 2 , ■ ■ ■ ,x n ) = ^2 ajxj, 

7C{l,2,...,n} 

where aj G Z m , xj = Yli e j Xi. Then we say that 

g(x 1 ,x 2 ,...,x n ) = h i x ii 

7C{l,2,...,n} 

is an 

• alternative representation of f modulo m, if 

V/C {1,2,..., n} 3j G {1,2,..., £} : oj = 6/ (mod^); 

• 0-a-strong representation of f modulo m, if it is an alternative representation, and, 
furthermore, if for some i, aj ^ bj (mod p^ 1 ), then bi = (mod pf l ); 

• 1-a-strong representation of f modulo m, if it is an alternative representation, and, 
furthermore, if for some i, aj ^ bj (mod p^ 1 ), then aj = (mod m); 

Example 2 Let m = 6, and let f(xi,X2,xs) = x\x 2 + x 2 xz + x\x^, then 

g(x 1 ,x 2 , , x 3 ) = 3xix 2 + 4x 2 x 3 + x±x 3 
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is a O-a-strong representation of f modulo 6; 

g(xi,x 2 , , £3) = xix 2 + x 2 x 3 + X1X3 + 3x1 + 4x 2 
is a 1-a-strong representation of f modulo 6; 

g(x 1 ,x 2 , , x 3 ) = 3xix 2 + 4x 2 x 3 + X1X3 + 3x\ + 4x 2 
is an alternative representation modulo 6. 

In other words, for modulus 6, in the alternative representation, each coefficient is correct 
either modulo 2 or modulo 3, but not necessarily both. 

In the O-a-strong representation, the coefficients are always correct both modulo 2 and 
3, the non-zeroes are allowed to be correct either modulo 2 or 3, and if they are not correct 
modulo one of them, say 2, then they should be mod 2. 

In the 1-a-strong representation, the non-zero coefficients of / are correct for both moduli 
in g, but the zero coefficients of / can be non-zero either modulo 2 or modulo 3 in g, but not 
both. 

In |2j we proved the following theorem: 

Theorem 3 (i) Let m = p\p 2 , where p\ 7^ p 2 ar ^ primes. Then a degree-2 1-a-strong 
representation of the dot-product 

n 

f(xi,X2, ■ ■ .,x n ,yi,y 2 , ...,y n ) = ^XiVi 

i=i 

can be computed with 



exp(0(v/log n log log n)) (2) 

multiplications. 

(ii) Moreover, the representation of (i) can be computed on bilinear SIIS circuits of size 
(2). 

In other words, we have shown, that instead of the usual dot-product 

n 

i=l 

we can compute a polynomial of the form 

n 

^Xiyi + 3g(x,y) +Ah(x,y) (3) 
i=l 

where both g and h has the following form: 

^2 aijXiUj, aij mod 6 G {0, 1}, 

and no term Xiyj appears in both / and g. 

Moreover, by (ii), (3) can be computed as the sum: 

(it b v Xi I (it W J ( 4 ) 
j=i \i=\ ) / 

where 6y, G {0, 1} and t = exp(0(y / log n log log n)) = n ^ 1 ). 
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3 The main idea 

In this short preliminary report we are dealing with only the case, when the modulus is 6. 
Our results can easily be generalized for other non-prime-power composite moduli as well. 

Polynomial (3) can be computed in form (4). Let us consider a fixed x € {0, l} n , and let 
us compute z = [z\,Z2, ■ ■■ ,zt) € {0, 1,2,3,4,5}', where 

n 

Zj = ^2 bijXi mod 6 (5) 
i=i 

that is, simply a linear combination, determined by (4), for j = 1,2,... , t. Or, in matrix 
notation, where B = {hj} denotes an n x t matrix, 

z = xB mod 6. 

Certainly, different x's may lead to the same z, since t = « n. 
Now, from (4), the 1-a-strong representation of the dot-product of x with any substitution 
of the y's can be computed from the t = values of z. In particular, plugging in 

i 

yW = (0,0,...,"T,0,...,0), 
we will get modulo 6 the following polynomial: 

Xi + 4(xij + xi 2 H h x it ) + 3(x jl + Xj 2 H h x jk ) (6) 

where different indices denote different numbers. 

Or, in other words, with the notation of C = {cij} as an n x t matrix of Cjj entries from 

(4), 

x' = x + AxU + 3xV = xBC T = zC T ', 
where U and V are some n x n 

4 Hyperdense transmission 

We describe the transmission-protocol in rounds. In every round, every sender Si will transmit 
securely a bit Xi to the corresponding receiver, Ri, i = 1, 2, . . . , n. In u consecutive rounds, 
every sender will send u bits, that is, sending u-bit messages needs u rounds of the following 
protocol. 

A round is performed as follows: 

Step 1 - Encoding - From the bits of x = (x±, X2, ■ ■ ■ , x n the mod 6 integers z = 
(z±, Z2, ■ ■ ■ , z t ) is computed by linear combinations taken modulo 6: 

z = xB mod 6, 

Step 2 - Transmission - The mod 6 numbers z±, Z2, ■ ■ ■ , zt are sent on t channels to the 
receivers. 

Step 3 - Decoding - The linear transformation x' = {x'i zC T is computed 

modulo 6 at the receivers' side, and number x\ is given to receiver i = 1,2, ... ,n. (Note, 
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that because of the obvious information-theoretical reasons, generally it is not possible to 
retrieve bit Xj from integer x'l). 

Step 4 - Pre-Filtering - A random ir : {1, 2, . . . , n) — ► {1, 2, . . . , n} permutation is gener- 
ated at the senders's side. Then for j = 1,2, ... ,n, if x n ^ is 1, then Steps 1, 2 and 3 are 
repeated for x n ^) £ {0, l} n instead of x, where x 71 "^ coincides with x, except on position 
whereas x n ^ is 0. Let x'( denote the coordinate i of x 7T ^BC T . On the other hand, if 
x^(j\ is 0, then nothing happens. 

Step 5 - Post-Filtering - Now, receiver Ri stores value x\ in its memory, and, additionally, 
sets register r, L = x\, and follows the following program after receiving any new x'l, originating 
in Step 4: 

if x'l = x\ it does nothing; 

if x'l = x\ — 1 then R, L concludes that Xj = 1; 

if x'l = x\ — 3 then sets r j = r ; L — 3 mod 6; 

if x'l = x\ — 4 then sets r i = r ; L — 4 mod 6; 

if Ri never got in the round an x'l for which x'l = x\ — 1, then it concludes that X{ = 0. 

After finishing the repetitions described in Step 4, the value of Xi and the mod 6 value of 
ri should be the same; otherwise Ri outputs: ERROR. This property can also be used for 
error-detection in the protocol. 

Theorem 4 After performing one round, receiver Ri retrieves the bit xi, for i = 1,2, ... ,n. 

Proof: Clearly, x\ is equal to quantity (6); so decreasing any non-zero Xj in the sum of (6) 
by 1, leads to either a decrease of 1 of the sum (in the case when exactly Xj was decreased, 
or by (when an Xj was decreased with a coefficient in (6)), or by 4 or 3 modulo 6, (when 
the coefficient of the decreased variable was 4 or 3, respectively). If we subtract from x\ all 
the Xj's with coefficients 3 or 4, then x\ will remain. □ 

4.1 An alternative filtering method 

The following modification of the filtering steps of the protocol relies on the fact that if we 
one-by-one increase the value of r, then 3r will have period 2, and 4r will have period 3 
modulo 6, but r itself will have period 6, modulo 6. 
So, we can modify Steps 4 and 5 as follows: 

Step 4' - Pre-filtering-variant- A random it : {1, 2, . . . , n} — ► {1, 2, . . . , n} permutation is 
generated at the senders's side. Then for j = 1, 2, . . . , n, if x n r^ is 1, then Steps 1, 2 and 3 
are repeated for six values of x n ^) £ {0, 1, 2, 3, 4, 5} n instead of x, where x n ^) coincides with 
x, except on position whereas x n ^ is takes on values 0,1,2,3,4, and 5, one after the 

other. Let x'l denote the coordinate i of x n ^BC T . On the other hand, if x n ^ is 0, then 
nothing happens. 

Step 5' - Post-Filtering- variant - Receiver Ri stores value x' { in its memory, and follows 
the following program after receiving the 6 new xf s in Step 4: 

if if the period of x'l is 6 then Ri concludes that x« = 1; 
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if if the period of x'( is less than 6 then it does nothing 

If it never realized in the turn that the period is 6, then Ri concludes that Xj = 0. 

Note, that this filtering method can be more applicable than the original in electrical- 
engineering applications. 

5 The Security of the network 

The security of the network-protocol relies on the independently generated random permu- 
tations 7T in each round. 

Let us review, what Ri can learn from the bits, addressed to others. Clearly, Ri will know 
the number of the 1-bits with coefficient 4 and also the number of the 1-bits with coefficient 
3 in (6), but Ri will not know the identity of the 1-bits. 
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